latchset / ipa-custodia-selinux
SELinux policies for FreeIPA's ipa-custodia.service
License: GNU General Public License v3.0
When executing binaries like /usr/bin/pki we should transition to a different domain so rules like allow execmem are only given to the specific binary and not necessary for the whole custodia process. In general this will allow restricting what can access the NSS databases too.
@wrabcak here are some more AVCs with explanation.
type=AVC msg=audit(1492697537.948:2819): avc: denied { open } for pid=17847 comm="ipa-custodia" path="/var/log/ipa-custodia.audit.log" dev="dm-0" ino=275886 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492697538.114:2820): avc: denied { execute } for pid=17848 comm="ipa-custodia" name="ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492697538.114:2821): avc: denied { read open } for pid=17848 comm="ipa-custodia" path="/usr/sbin/ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492697538.114:2822): avc: denied { execute_no_trans } for pid=17848 comm="ipa-custodia" path="/usr/sbin/ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492697537.618:2818): avc: denied { write } for pid=17847 comm="ipa-custodia" name="nss" dev="dm-0" ino=270508 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1492697538.153:2823): avc: denied { net_admin } for pid=17847 comm="ipa-custodia" capability=12 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1492700622.817:3544): avc: denied { connectto } for pid=19970 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492700622.829:3545): avc: denied { search } for pid=20363 comm="ipa-custodia" name="19970" dev="proc" ino=264879 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492700622.830:3546): avc: denied { read } for pid=20363 comm="ipa-custodia" name="loginuid" dev="proc" ino=264880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492700622.830:3547): avc: denied { open } for pid=20363 comm="ipa-custodia" path="/proc/19970/loginuid" dev="proc" ino=264880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492700622.830:3548): avc: denied { getattr } for pid=20363 comm="ipa-custodia" path="/proc/19970/loginuid" dev="proc" ino=264880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492700622.944:3549): avc: denied { dac_override } for pid=20363 comm="ipa-custodia" capability=1 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1492700622.945:3550): avc: denied { read } for pid=20363 comm="ipa-custodia" name="password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492700622.945:3551): avc: denied { open } for pid=20363 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492700622.945:3552): avc: denied { getattr } for pid=20363 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492700841.361:3598): avc: denied { connectto } for pid=19974 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492701017.714:3633): avc: denied { search } for pid=20507 comm="ipa-custodia" name="20462" dev="proc" ino=275475 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492701317.490:3734): avc: denied { connectto } for pid=21947 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492701317.502:3735): avc: denied { search } for pid=22045 comm="ipa-custodia" name="21947" dev="proc" ino=295678 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492701317.502:3736): avc: denied { read } for pid=22045 comm="ipa-custodia" name="loginuid" dev="proc" ino=298094 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701317.502:3737): avc: denied { open } for pid=22045 comm="ipa-custodia" path="/proc/21947/loginuid" dev="proc" ino=298094 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701317.502:3738): avc: denied { getattr } for pid=22045 comm="ipa-custodia" path="/proc/21947/loginuid" dev="proc" ino=298094 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701317.641:3739): avc: denied { dac_override } for pid=22045 comm="ipa-custodia" capability=1 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1492701317.641:3740): avc: denied { read } for pid=22045 comm="ipa-custodia" name="password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701317.641:3741): avc: denied { open } for pid=22045 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701317.641:3742): avc: denied { getattr } for pid=22045 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.053:3796): avc: denied { read } for pid=22190 comm="ipa-custodia" name="password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.053:3795): avc: denied { dac_override } for pid=22190 comm="ipa-custodia" capability=1 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1492701579.054:3797): avc: denied { open } for pid=22190 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.054:3798): avc: denied { getattr } for pid=22190 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.085:3799): avc: denied { read } for pid=22191 comm="pki" name="passwd" dev="dm-0" ino=281800 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.086:3800): avc: denied { open } for pid=22191 comm="pki" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=281800 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.086:3801): avc: denied { getattr } for pid=22191 comm="pki" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=281800 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.086:3802): avc: denied { write } for pid=22191 comm="pki" name="nss" dev="dm-0" ino=270508 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1492701579.086:3803): avc: denied { connectto } for pid=22191 comm="pki" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492701579.133:3804): avc: denied { create } for pid=22191 comm="pki" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1492701579.133:3805): avc: denied { bind } for pid=22191 comm="pki" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1492701579.133:3806): avc: denied { node_bind } for pid=22191 comm="pki" saddr=::1 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1492701579.143:3807): avc: denied { execute } for pid=22192 comm="pki" name="ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.143:3808): avc: denied { read open } for pid=22192 comm="pki" path="/usr/sbin/ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.143:3809): avc: denied { execute_no_trans } for pid=22192 comm="pki" path="/usr/sbin/ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.913:3812): avc: denied { execmem } for pid=22198 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1
# rpm -qa selinux-policy custodia ipa-server
ipa-server-4.5.0-7.el7.x86_64
custodia-0.3.1-2.el7.noarch
selinux-policy-3.13.1-144.el7.noarch
type=AVC msg=audit(1492776915.640:1159): avc: denied { create } for pid=13406 comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=udp_socket
type=AVC msg=audit(1492776915.640:1160): avc: denied { connect } for pid=13406 comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=udp_socket
type=AVC msg=audit(1492776915.641:1161): avc: denied { getattr } for pid=13406 comm="ipa-custodia" path="socket:[103026]" dev="sockfs" ino=103026 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=udp_socket
type=AVC msg=audit(1492776916.210:1163): avc: denied { create } for pid=13413 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492776916.211:1164): avc: denied { bind } for pid=13413 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492776916.211:1165): avc: denied { getattr } for pid=13413 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492776916.211:1166): avc: denied { nlmsg_read } for pid=13413 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492777248.176:1241): avc: denied { create } for pid=13664 comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=udp_socket
type=AVC msg=audit(1492777248.176:1242): avc: denied { connect } for pid=13664 comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=udp_socket
type=AVC msg=audit(1492777248.177:1243): avc: denied { getattr } for pid=13664 comm="ipa-custodia" path="socket:[111728]" dev="sockfs" ino=111728 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=udp_socket
type=AVC msg=audit(1492777421.112:1278): avc: denied { create } for pid=13725 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492777421.112:1279): avc: denied { bind } for pid=13725 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492777421.112:1280): avc: denied { getattr } for pid=13725 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492777421.112:1281): avc: denied { nlmsg_read } for pid=13725 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
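To make the argument in the issue concrete (the denials coming from comm="pki" and comm="java" should not become allow rules for ipa_custodia_t itself), the following added example parses AVC lines of the format pasted above, collapses repeated denials, and drafts audit2allow-style rules that route the pki/java denials to a separate child domain. This is not code from the ipa-custodia-selinux project; the sample lines are copied from the issue, and the domain name ipa_custodia_pki_t is a hypothetical name chosen here, not a type the project defines.

```python
"""Triage SELinux AVC denials and split candidate rules by the process that
caused them.  Added example, not part of ipa-custodia-selinux."""
import re
from collections import defaultdict

# Sample input: a handful of AVC lines copied from the issue (constructed subset).
SAMPLE_AVCS = """\
type=AVC msg=audit(1492697538.114:2820): avc: denied { execute } for pid=17848 comm="ipa-custodia" name="ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492697538.114:2821): avc: denied { read open } for pid=17848 comm="ipa-custodia" path="/usr/sbin/ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492700622.817:3544): avc: denied { connectto } for pid=19970 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492700622.944:3549): avc: denied { dac_override } for pid=20363 comm="ipa-custodia" capability=1 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1492701579.133:3804): avc: denied { create } for pid=22191 comm="pki" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1492701579.913:3812): avc: denied { execmem } for pid=22198 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1
"""

DAEMON_DOMAIN = "ipa_custodia_t"
# Hypothetical child domain for helpers the daemon executes (the issue only
# says /usr/bin/pki should transition; the name is an assumption of this example).
CHILD_DOMAIN = {"pki": "ipa_custodia_pki_t", "java": "ipa_custodia_pki_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions plus source/target *types* of one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # user:role:type:level -> keep only the type component.
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def group_denials(text):
    """Collapse repeated denials into {(comm, stype, ttype, tclass): set(perms)}."""
    groups = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            groups[(d["comm"], d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return groups


def helpers_in_domain(groups):
    """Processes other than the daemon that ran inside ipa_custodia_t: each one
    is a candidate for its own domain instead of widening the daemon's rules."""
    return {comm for (comm, stype, _, _) in groups
            if stype == DAEMON_DOMAIN and comm != "ipa-custodia"}


def draft_rules(groups):
    """Emit audit2allow-style allow rules, with helper denials re-homed to the
    child domain so execmem and friends never land on the daemon itself."""
    rules = defaultdict(set)
    for (comm, stype, ttype, tclass), perms in groups.items():
        source = CHILD_DOMAIN.get(comm, stype) if stype == DAEMON_DOMAIN else stype
        target = "self" if ttype == stype else ttype
        rules[(source, target, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    g = group_denials(SAMPLE_AVCS)
    print("helpers running in", DAEMON_DOMAIN, "->", sorted(helpers_in_domain(g)))
    print("\n".join(draft_rules(g)))
```

The output is a starting point, not a policy: the `execute` / `execute_no_trans` denials on ldconfig_exec_t, like the pki case the issue describes, are better answered with a domain transition (or the reference-policy interface for that binary) than with the raw allow this script prints, and `permissive=1` on every line above means the audit shows what would have been blocked, not what was.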